{"description": "To configure rsyslog to send logs to a remote log server,\nopen <tt>/etc/rsyslog.conf</tt> and read and understand the last section of the file,\nwhich describes the multiple directives necessary to activate remote\nlogging.\nAlong with these other directives, the system can be configured\nto forward its logs to a particular log server by\nadding or correcting one of the following lines (in <tt>/etc/rsyslog.conf</tt> or in a drop-in file under <tt>/etc/rsyslog.d/</tt>),\nsubstituting <tt><i><sub idref=\"rsyslog_remote_loghost_address\" /></i></tt> appropriately.\nThe choice of protocol depends on the environment of the system:\nUDP offers no delivery guarantee and no way to detect loss;\nTCP and RELP provide more reliable message delivery,\nbut they may not be supported in all environments.\nNone of the three transports encrypts traffic by itself; where logs cross an untrusted network,\nenable rsyslog's TLS support for the chosen transport.\n<br />\nTo use UDP for log message delivery:\n<pre>*.* @<i><sub idref=\"rsyslog_remote_loghost_address\" /></i></pre>\n<br />\nOr in RainerScript:\n<pre>*.* action(type=\"omfwd\" ... target=\"<i><sub idref=\"rsyslog_remote_loghost_address\" /></i>\" protocol=\"udp\")</pre>\n<br />\nTo use TCP for log message delivery:\n<pre>*.* @@<i><sub idref=\"rsyslog_remote_loghost_address\" /></i></pre>\n<br />\nOr in RainerScript:\n<pre>*.* action(type=\"omfwd\" ... target=\"<i><sub idref=\"rsyslog_remote_loghost_address\" /></i>\" protocol=\"tcp\")</pre>\n<br />\nTo use RELP for log message delivery (RELP is implemented by the <tt>omrelp</tt> module, which must be loaded first; <tt>omfwd</tt> supports only UDP and TCP, so <tt>protocol=\"relp\"</tt> is not valid there):\n<pre>$ModLoad omrelp\n*.* :omrelp:<i><sub idref=\"rsyslog_remote_loghost_address\" /></i>:2514</pre>\n<br />\nOr in RainerScript:\n<pre>module(load=\"omrelp\")\n*.* action(type=\"omrelp\" ... target=\"<i><sub idref=\"rsyslog_remote_loghost_address\" /></i>\" port=\"2514\")</pre>\n<br />\nThere is no standard port for RELP, so the port must be given explicitly; 2514 is the conventional choice.\n\"<sub idref=\"rsyslog_remote_loghost_address\" />\" must be an IP address or a host name that resolves from the client (a DNS A/AAAA or CNAME record, or an <tt>/etc/hosts</tt> entry); otherwise messages cannot be delivered to the centralized logging utility.", "rationale": "A log server (loghost) receives syslog messages from one or more\nsystems. This data can be used as an additional log source in the event a\nsystem is compromised and its local logs are suspect. 
Forwarding log messages\nto a remote loghost also provides system administrators with a centralized\nplace to view the status of multiple hosts within the enterprise.", "severity": "medium", "references": {"cis-csc": ["1", "13", "14", "15", "16", "2", "3", "5", "6"], "cobit5": ["APO11.04", "APO13.01", "BAI03.05", "BAI04.04", "DSS05.04", "DSS05.07", "MEA02.01"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(5)(ii)(B)", "164.308(a)(5)(ii)(C)", "164.308(a)(6)(ii)", "164.308(a)(8)", "164.310(d)(2)(iii)", "164.312(b)", "164.314(a)(2)(i)(C)", "164.314(a)(2)(iii)"], "isa-62443-2009": ["4.3.3.3.9", "4.3.3.5.8", "4.3.4.4.7", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 2.10", "SR 2.11", "SR 2.12", "SR 2.8", "SR 2.9", "SR 7.1", "SR 7.2"], "iso27001-2013": ["A.12.1.3", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.17.2.1"], "nerc-cip": ["CIP-003-8 R5.2", "CIP-004-6 R3.3"], "nist": ["CM-6(a)", "AU-4(1)", "AU-9(2)"], "nist-csf": ["PR.DS-4", "PR.PT-1"], "srg": ["SRG-OS-000479-GPOS-00224", "SRG-OS-000480-GPOS-00227", "SRG-OS-000342-GPOS-00133"], "anssi": ["R71"], "ism": ["0988", "1405"]}, "control_references": {"anssi": ["R71"], "ism": ["0988", "1405"]}, "components": [], "identifiers": {}, "ocil_clause": "no evidence that the audit logs are being off-loaded to another system or media", "ocil": "To ensure logs are sent to a remote host, examine the file\n<tt>/etc/rsyslog.conf</tt>.\nIf using UDP, a line similar to the following should be present:\n<pre> *.* @<i><sub idref=\"rsyslog_remote_loghost_address\" /></i></pre>\nor\n<pre>*.* action(type=\"omfwd\" ... target=\"<i><sub idref=\"rsyslog_remote_loghost_address\" /></i>\" protocol=\"udp\")</pre>\nIf using TCP, a line similar to the following should be present:\n<pre> *.* @@<i><sub idref=\"rsyslog_remote_loghost_address\" /></i></pre>\nor\n<pre>*.* action(type=\"omfwd\" ... 
target=\"<i><sub idref=\"rsyslog_remote_loghost_address\" /></i>\" protocol=\"tcp\")</pre>\nIf using RELP, a line similar to the following should be present:\n<pre>*.* :omrelp:<i><sub idref=\"rsyslog_remote_loghost_address\" /></i>:2514</pre>\nor\n<pre>*.* action(type=\"omrelp\" ... target=\"<i><sub idref=\"rsyslog_remote_loghost_address\" /></i>\" port=\"2514\")</pre>\nAlso examine every <tt>*.conf</tt> file under <tt>/etc/rsyslog.d/</tt>, since forwarding rules are commonly placed there.\nA line that is commented out does not satisfy the requirement.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to off-load audit records onto a different system or media from the system being audited by specifying the remote logging server in \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/[customfile].conf\" with the name or IP address of the log aggregation server.\n\n<pre>*.* @@[remoteloggingserver]:[port]</pre>\nor\n<pre>*.* action(type=\"omfwd\" ... target=\"<i><sub idref=\"rsyslog_remote_loghost_address\" /></i>\" port=\"[port]\" protocol=\"tcp\")</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "The Ubuntu 22.04 audit records must be off-loaded onto a different system or storage media from the system being audited.", "warnings": [{"functionality": "It is important to configure queues when the client is sending log\nmessages to a remote server. If no queue is configured, rsyslog blocks on the\nforwarding action whenever the connection to the remote server is\nunavailable; its main queue then fills and local logging stalls with it.\nPlease consult the rsyslog\ndocumentation for more information about configuration of queues. 
The\nexample configuration which should go into <tt>/etc/rsyslog.conf</tt>\ncan look like the following lines; in legacy syntax the <tt>$ActionQueue*</tt> directives apply to the next action line, so they must immediately precede the forwarding rule:\n<pre>\n$ActionQueueType LinkedList\n$ActionQueueFileName queuefilename\n$ActionQueueMaxDiskSpace 1g\n$ActionQueueSaveOnShutdown on\n$ActionResumeRetryCount -1\n*.* @@<i><sub idref=\"rsyslog_remote_loghost_address\" /></i>\n</pre>\nOr, if using RainerScript syntax, the queue parameters are given inside the action itself:\n<pre>*.* action(type=\"omfwd\" queue.type=\"linkedlist\" queue.filename=\"example_fwd\" queue.maxDiskSpace=\"1g\" queue.saveOnShutdown=\"on\" action.resumeRetryCount=\"-1\" target=\"example.com\" port=\"30514\" protocol=\"tcp\")</pre>"}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog.", "vuldiscussion": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOffloading is a common process in information systems with limited audit storage capacity.\n\nUbuntu 22.04 installation media provides \"rsyslogd\", a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. 
Coupling this utility with \"gnutls\" (a secure communications library implementing the SSL, TLS and DTLS protocols), through rsyslog's TLS network stream driver, creates a method to encrypt audit records in transit while offloading them.\n\nRsyslog provides three ways to forward messages: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only in certain situations (for example when the connection breaks with data still in flight, since there is no application-level acknowledgement) but is widely available; and the RELP transport, which does not lose messages but is available only in rsyslog 3.15.0 and above.\n\nExamples of each configuration:\nUDP *.* @remotesystemname\nTCP *.* @@remotesystemname\nRELP *.* :omrelp:remotesystemname:2514\nNote that a port number was given for RELP as there is no standard port for RELP; 2514 is the conventional choice.", "checktext": "Verify that Ubuntu 22.04 audit system offloads audit records onto a different system or media from the system being audited via rsyslog using TCP with the following commands (the first matches RainerScript actions, the second the legacy \"@@\" syntax; both also print commented-out lines, which must be disregarded):\n\n$ grep -i 'type=\"omfwd\"' /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n*.* action(type=\"omfwd\" target=\"[remoteloggingserver]\" protocol=\"tcp\" port=\"[port]\")\n\n$ grep '@@' /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n*.* @@[remoteloggingserver]:[port]\n\nIf a remote server is not configured, or the line is commented out, ask the system administrator (SA) to indicate how the audit logs are offloaded to a different system or media.\n\nIf there is no evidence that the audit logs are being offloaded to another system or media, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to offload audit records onto a different system or media from the system being audited via TCP using rsyslog by specifying the remote logging server in \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/[customfile].conf\" with the name or IP address of the log aggregation server.\n\n*.* @@[remoteloggingserver]:[port]\n\nValidate the configuration with \"sudo rsyslogd -N1\" and then restart the service with \"sudo systemctl restart rsyslog\"."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure Logs Sent To 
Remote Host", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml", "template": null}
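Added example, not part of the scap-security-guide rule, its OVAL/OCIL content or rsyslog itself: a Python audit script that implements the manual check described in the OCIL and STIG checktext above. Unlike the bare grep, it parses both the legacy selector syntax (`@host`, `@@host:port`, `:omrelp:host:port`) and RainerScript `action(...)` lines, ignores commented-out rules, and also reports whether each forwarder has the queue that the rule's warning recommends. The configuration text, host names and ports in `SAMPLE_FILES` are constructed for the example; `load_live_config()` reads the real `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf` on an audited host. Where a port is omitted, the script reports `None` rather than guessing the module default.

```python
"""Audit rsyslog configuration for remote log forwarding (added example)."""
import glob
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration (not from the page): a main file plus a drop-in.
SAMPLE_FILES = {
    "/etc/rsyslog.conf": (
        "# commented-out forwarder: must NOT count as evidence\n"
        "#*.* @@old-loghost.example.net:514\n"
        "*.* @loghost.example.net\n"
        "$ActionQueueType LinkedList\n"
        "$ActionQueueFileName fwdq\n"
        "$ActionResumeRetryCount -1\n"
        "*.* @@loghost.example.net:6514\n"
    ),
    "/etc/rsyslog.d/50-forward.conf": (
        'module(load="omrelp")\n'
        '*.* action(type="omrelp" target="loghost.example.net" port="2514")\n'
        '*.* action(type="omfwd" target="loghost.example.net" port="514"'
        ' protocol="tcp" queue.type="LinkedList" queue.filename="fwd_tcp"'
        ' action.resumeRetryCount="-1")\n'
        '*.* action(type="omfwd" target="10.0.0.5" protocol="udp")\n'
    ),
}

# Legacy lines: "*.* @host", "*.* @@host:port", "*.* :omrelp:host:port".
# An optional "(...)" group after @/@@ carries legacy options and is skipped.
LEGACY_RE = re.compile(r"^\s*(?P<sel>\S+)\s+(?P<kind>@@|@|:omrelp:)(?:\([^)]*\))?(?P<dest>\S+)")
ACTION_RE = re.compile(r"\baction\s*\((?P<body>[^)]*)\)")   # RainerScript action(...)
PARAM_RE = re.compile(r'(?P<key>[\w.]+)\s*=\s*"(?P<val>[^"]*)"')
DEST_RE = re.compile(r"^(?P<target>\[[^\]]+\]|[^:]+)(?::(?P<port>\d+))?$")  # host, host:port, [v6]:port
LEGACY_KIND = {"@": "udp", "@@": "tcp", ":omrelp:": "relp"}


@dataclass
class Forwarder:
    path: str
    lineno: int
    syntax: str          # "legacy" or "rainerscript"
    protocol: str        # udp | tcp | relp
    target: str
    port: Optional[str]  # None when the line relies on the module default
    queued: bool         # an action queue is configured for this forwarder


def _split_dest(dest: str):
    m = DEST_RE.match(dest)
    return (m.group("target"), m.group("port")) if m else (dest, None)


def find_forwarders(files: dict) -> list:
    """Return every active remote-forwarding action in {path: text}.

    Comment lines are skipped, so "#*.* @@host" is not reported. In legacy
    syntax $ActionQueueType applies to the next action line only, so it is
    tracked as a pending flag and consumed by that action.
    """
    found = []
    for path, text in files.items():
        pending_queue = False
        for lineno, line in enumerate(text.splitlines(), 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            if stripped.lower().startswith("$actionqueuetype"):
                pending_queue = True
                continue
            m = LEGACY_RE.match(line)
            if m:
                target, port = _split_dest(m.group("dest"))
                found.append(Forwarder(path, lineno, "legacy", LEGACY_KIND[m.group("kind")],
                                       target, port, pending_queue))
                pending_queue = False
                continue
            a = ACTION_RE.search(line)
            if not a:
                continue
            params = {k.lower(): v for k, v in PARAM_RE.findall(a.group("body"))}
            kind = params.get("type", "").lower()
            if kind not in ("omfwd", "omrelp"):
                continue
            # omfwd forwards over UDP unless protocol="tcp"; RELP only comes from omrelp.
            proto = "relp" if kind == "omrelp" else params.get("protocol", "udp").lower()
            found.append(Forwarder(path, lineno, "rainerscript", proto, params.get("target", ""),
                                   params.get("port"), "queue.type" in params))
    return found


def audit(forwarders: list) -> dict:
    """A finding if nothing is forwarded; also flag UDP-only and unqueued actions."""
    return {
        "finding": not forwarders,
        "udp_only": bool(forwarders) and all(f.protocol == "udp" for f in forwarders),
        "unqueued": [f for f in forwarders if not f.queued],
    }


def load_live_config() -> dict:
    """Read the files the rule names (run as root on the audited host)."""
    out = {}
    for p in ["/etc/rsyslog.conf"] + sorted(glob.glob("/etc/rsyslog.d/*.conf")):
        try:
            with open(p, encoding="utf-8", errors="replace") as fh:
                out[p] = fh.read()
        except OSError:
            pass
    return out


if __name__ == "__main__":
    fwds = find_forwarders(SAMPLE_FILES)   # swap in load_live_config() on a real host
    for f in fwds:
        note = "" if f.queued else "  [no queue: rsyslog blocks if the loghost is unreachable]"
        print(f"{f.path}:{f.lineno} {f.syntax:12} {f.protocol:4} -> {f.target}:{f.port or 'default'}{note}")
    print("FINDING: no remote forwarding" if audit(fwds)["finding"] else "OK: remote forwarding configured")
```

On the sample input the commented-out `@@old-loghost` line is not reported, the `@@loghost.example.net:6514` rule is credited with the `$ActionQueueType` that precedes it, and the two UDP actions and the RELP action are listed as unqueued.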